How to install Client Certificate in iOS 12.x using Apple Configurator 2
12100
Created On 03/04/19 07:33 AM - Last Modified 10/06/22 02:21 AM
Objective
- Starting iOS 12.x, if the certificate is imported directly on an endpoint (iPhone & iPAD) using methods such as email-based installation, VPN providers cannot access the certificate.
- The client certificate deployment needs to be done from either MDM or Apple Configurator 2.
- This article has steps to install Client Certificate in iOS 12.x using Apple Configurator 2.
Environment
- Apple endpoints (iPhone and iPAD) installed with iOS 12.x and later.
- GlobalProtect Agent version 5.0.0 and later.
Procedure
-
Open Apple Configurator 2
-
Connect your iPhone via USB (you may be prompted to download and install an update...do this, and wait for it to complete successfully)
-
Create a new Profile (File > New Profile)
-
Within the new profile, add your certificates (CA certificate, user certificate)
-
Within the new profile, create a VPN connection:a. Name the VPN connection GlobalProtectb. Connection Type = Custom SSLc. Identifier and Server are the DNS name of your GP Portald. Account is the username you're going to use (make sure it matches what's in the user cert) Basically, its the name configured under CN (Common Name) of the certificate.e. Under User Authentication > Authentication Type for Connection, select Certificatef. Under Credential for Authenticating the Connection, select the certificate you added to the profile (user cert).g. Save the profile and close the profile window
-
In the main Apple Configurator 2 window, double-click on your iPhone.
-
Click on the Profiles icon on the left
-
Click on the Add Profile button (or the plus in the top-right)
-
Select the profile you created above (this will push the profile to your iPhone)
-
You will likely be prompted to install the profile on your iPhone (it will need to be powered on and unlocked), and it will ask you for your passcode.